========================================================================
Firestorm v0.5.x - A Network Intrusion Detection System
Copyright (c) 2002 Gianni Tedesco <gianni at scaramanga dot co dot uk>
This software is released under the GNU GPL version 2 (see: COPYING)
========================================================================

0x0. Contents
-------------
 0x0. Contents
 0x1. Introduction
 0x2. Compiling From Source Code
 0x3. Configuring the Firestorm Sensor
 0x4. Configuring for Your Network
 0x5. Starting Firestorm
 0x6. Viewing Firestorm's Logs
 0x7. Advanced Configuration
 0x8. Known Bugs
 0x9. Reporting Bugs
 0xa. Package Locations
 0xb. Feature List
 0xc. Supported Protocols

0x1. Introduction
-----------------
 Firestorm is an extremely high performance network intrusion detection
 system (NIDS). At the moment it is just a sensor, but plans are to include
 real support for analysis, reporting, remote console and on-the-fly sensor
 configuration. It is fully pluggable and hence extremely flexible. At the
 moment firestorm is still in early development, but a lot of the features
 you would expect of a sensor are already there.

0x2. Compiling From Source Code
-------------------------------
 If you have installed from a binary package (such as RPM) you can skip
 straight to step 3. I will assume that you already have the source code
 unpacked in a directory somewhere and you are in that directory.

 You don't need to be root to compile firestorm, but you will need root
 access if you want to install it. The first step is to compile firestorm
 and all of its plugins by issuing the following command at the prompt:

  $ ./configure --sysconfdir=/etc && make

 After this step completes successfully you will need to su to root to
 install it. The following command should do just that:

  $ su -c "make install"

 Now all firestorm needs is a user on your system to run as (Firestorm never
 runs as root). Type the following commands when logged in as root:

  # groupadd -g 303 fstorm
  # useradd -M -s /bin/false -d /var/firestorm -u 303 -g 303 fstorm
  # chown -R fstorm.fstorm /var/firestorm

 There will now be a user and a group on your system named 'fstorm' with
 the uid 303 and gid 303. These numbers are important, do not change them.

 If you want to uninstall firestorm at some later date that is easy to do.
 Type the following commands from your source dir:

  # make uninstall
  # userdel fstorm 2>/dev/null
  # groupdel fstorm 2>/dev/null

0x3. Configuring the Firestorm Sensor
-------------------------------------
 For this step you will need to be logged in as root. You can issue the
 following command at the terminal to become root:

  $ su -

 Your shell prompt should change from a $ to a # - this means you now have
 the almighty power of root. Open the firestorm configuration file in your
 favourite editor:

  # vi /etc/firestorm.conf

 The default config file should be pretty well commented. Probably the first
 thing you will want to change is where firestorm captures packets from. The
 default line should look something like:

  capture pcap if='any'

 This instructs firestorm to capture packets from all configured network
 interfaces using the libpcap library. Most installations will want to use
 a specific interface. To capture from a specific interface (eg: eth0)
 change the line to:

  capture pcap if='eth0'

0x4. Configuring for Your Network
---------------------------------
 Firestorm needs to know a few small details about your network in order to
 detect attackers more efficiently. Open the file
 /var/firestorm/firestorm.rules in your favourite text editor. You will see
 a snort rule file which defines a number of variables. The main variables
 that you really need to set are HOME_NET and EXTERNAL_NET.

 HOME_NET should be set to the address (in CIDR notation) of your network.
 For example, if all your computers' IP addresses are in the range 10.0.0.1
 to 10.255.255.254 you would need to modify the HOME_NET line to look
 something like this:

  var HOME_NET 10.0.0.0/8

 The external net defaults to being !$HOME_NET, meaning anything that isn't
 HOME_NET is external to us. Most of the signatures that ship with firestorm
 will only alert on attacks coming from EXTERNAL_NET going to HOME_NET. The
 default choice is often best here. Custom snort rules can also be added to
 the end of this file.

 NOTE: You don't actually have to use CIDR notation; you can, if you prefer,
 use address/mask notation. For example, if your network address is
 192.168.0.0 and your netmask is 255.255.255.0 you can do:

  var HOME_NET 192.168.0.0/255.255.255.0

0x5. Starting Firestorm
-----------------------
 To begin monitoring your network simply type the following command at the
 terminal while logged in as root:

  # firestorm-nids

 Firestorm should now be up and running successfully. You can view
 firestorm's status log using the following command:

  # less /var/firestorm/firestorm.log

 You can shut down firestorm cleanly by sending SIGTERM thus:

  # killall firestorm-nids

 Now that you have firestorm up and running please report success to the
 firestorm mailing list <firestorm@scaramanga.co.uk> - If at this point
 something doesn't work see section 0x9 - Reporting Bugs.

0x6. Viewing Firestorm's Logs
-----------------------------
 By default firestorm will log alerts in to:

  /var/firestorm/log/alert.elog

 When the file gets too old (60 mins) or too big (1024KB) firestorm will
 rotate it with a unique filename beginning with '@'. In order to view these
 logfiles you will need to use the 'firecat' tool. Here is a usage example
 (you can also type firecat --help):

  firecat -f ascii -o nohex alert.elog

 This will print the contents of alert.elog to screen using the 'ascii'
 output plugin. There are more output plugins to choose from, which I will
 briefly document below:

  ascii: dumps detailed ascii alerts
   nohex               disables hex dumping of the packet payload
   file='filename'     write output to a file
   len=12              controls the line length of hex dumps

  log: dumps one-line parseable log entries
   file='filename'     write output to a file

  dump: dumps to tcpdump format logs
   file='filename'     write output to a file
   proto='ipv4'        write output in a specific protocol

 Note that alert.elog is not always up to date; you can force a log rotation
 by sending the HUP signal to the firestorm-nids process:

  killall -HUP firestorm-nids

0x7. Advanced Configuration
---------------------------
 For Linux systems with CONFIG_MMAP_PACKET_SOCKET in the kernel you can
 replace 'pcap' with 'linux' in your /etc/firestorm.conf capture line and
 add a new parameter 'blocks'. This will allow firestorm to run much more
 efficiently. The line should look something like:

  capture linux if='any' blocks=1024

 Where blocks is a suitably large number depending on how much RAM you want
 to use up on your machine. Check the messages file to see what the blocks
 value translates to in kilobytes of RAM (it depends on the MTU of the
 interface selected).

0x8. Known Bugs
---------------
 There is no way of keeping the size of the log directory down currently.
 This will change over the next few versions with the onset of remote
 logging functionality.

 There is no MTU detection unless using the linux capture device. For pcap
 one must specify the mtu=XXX option. You also need to set promiscuous mode
 by hand.

 We still really badly need TCP stream reassembly. This is being worked on
 and should not be more than a few versions away.

0x9. Reporting Bugs
-------------------
 You should send a description of your problem to the mailing list
 <firestorm@scaramanga.co.uk>. You should include the relevant logs and
 configs which are listed below:

  /etc/firestorm.conf
  /var/firestorm/firestorm.log
  /var/firestorm/firestorm.rules

 You should also include information such as which operating system you are
 using and which version, and which version of firestorm you are using. For
 compile time errors you may want to report the compiler and version. In
 general supply any information you think we might need to reproduce the
 problem.

0xa. Package Locations
----------------------
 CVS:

  # To login (The password is 'cvs')
  cvs -d:pserver:anonymous@cvs.ecsc.co.uk:/home/cvs login

  # To checkout a working copy of firestorm
  cvs -d:pserver:anonymous@cvs.ecsc.co.uk:/home/cvs co firestorm

  # To update a working copy to the latest version
  cvs -d:pserver:anonymous@cvs.ecsc.co.uk:/home/cvs update

 Source code:
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z.tar.gz

 SRPM package:
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.src.rpm

 RPM package (i386/Linux):
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.i386.rpm

 RPM package (ppc/Linux):
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.ppc.rpm

 DEB packages:
  *** PACKAGERS WANTED ***

0xb. Feature List
-----------------
 Fully pluggable.
 Capture from network via libpcap.
 High performance OS specific capture module for Linux.
 Capture from libpcap files (normal AND redhat extended).
 Packet decode engine fully supports encapsulation.
 Decode plugins included for many protocols (see below).
 Comprehensive snort rule support.
 Boyer Moore string match (including embedded binary data).
 Easy to configure; just one config file.
 Can run chroot and with lowered privs (when started as root).
 Preprocessors to allow supplementary modes of detection (eg: anomaly).
 Full IP defragmentation (passes fragroute evasion tests).
 TCP stateful inspection with window tracking.
 Some limited application layer decoding.
 Remote log to prelude-manager http://www.prelude-ids.org/
 EXTREMELY fast and scalable signature engine.
 Configurable token-bucket rate-limiting of all alerts.

0xc. Supported Protocols
------------------------
 TCP/IP Suite (IPv4, TCP, UDP, ICMP, IGMP)
 802.1q (vlan)
 Can differentiate Ethernet II, 802.3 and Novell IPX frames
 Can decode LLC and SNAP in 802.3
 IPX, SAP
 Linux cooked sockets (SLL) in two different formats
 GRE (generic routing encapsulation)
 IrDA (infra-red)
 ARP/Appletalk ARP
